Computer networks are often configured to incorporate network security systems in order to protect the networks against malicious activity. Such malicious activity can include, for example, deployment of malware that is utilized by attackers to create networks of compromised computers or “botnets.”
Network security systems can be designed to protect a computer network of a large enterprise comprising many thousands of host devices, also referred to herein as simply “hosts.” Such enterprise computer networks are in many cases continuously growing in size, and often incorporate a diverse array of host devices, including mobile telephones, laptop computers and tablet computers.
Moreover, recent years have seen the rise of increasingly sophisticated attacks, including advanced persistent threats (APTs), which can pose severe risks to enterprises. These APTs are typically orchestrated by well-funded attackers using advanced tools to adapt to the victim environment while maintaining a low profile of activity. As a result, anti-virus software, firewalls, web proxies and other traditional security technologies typically deployed by enterprise network security systems today often fail to detect and remediate malicious activity at a sufficiently early stage.
An important issue that arises in this context relates to communications between security agents deployed on host devices and a command and control server of a network security system. In many cases, when a host device is infected with malware, the malware can disable the security agent and mimic its expected communications, thereby further undermining security and making the malware infection significantly more difficult to detect and remediate.